Verifying Safety Properties of a PowerPC™¹ Microprocessor Using Symbolic Model Checking without BDDs

A. Biere (1,2,4), E. Clarke (2,4), R. Raimi (3,5), Y. Zhu (2,4)
February 1, 1999
CMU-CS-99-146


School of Computer Science
Carnegie Mellon University
Pittsburgh, PA 15213


Submitted for CAV'99


1 ILKD, University of Karlsruhe, Postfach 6980, 76128 Karlsruhe, Germany
Armin.Biere@ira.uka.de


2 Computer Science Department, Carnegie Mellon University
5000 Forbes Avenue, Pittsburgh, PA 15213
Edmund.Clarke@cs.cmu.edu, Yunshan.Zhu@cs.cmu.edu


3 Motorola, Inc., Somerset PowerPC Design Center
6200 Bridgeport Pkwy., Bldg. 4, Austin, TX 78759
Richard_Raimi@email.mot.sps.com


4 Verysys Design Automation, Inc.
42707 Lawrence Place, Fremont, CA 94538

5 Computer Engineering Research Center
University of Texas at Austin
Austin, TX 78730




¹ PowerPC is a trademark of the International Business Machines Corporation, used under license therefrom.

This research is sponsored by the Semiconductor Research Corporation (SRC) under Contract No. 97-DJ-294 and the National Science Foundation (NSF) under Grant No. CCR-9505472.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the SRC, NSF or the United States Government.

The U. S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation thereon. This manuscript is submitted for publication with the understanding that the U. S. Government is authorized to reproduce and distribute reprints for Governmental purposes.


DISTRIBUTION STATEMENT A
Approved for Public Release
Distribution Unlimited


Keywords: hardware verification, out-of-order execution, temporal logic, symbolic model checking, boolean satisfiability


Abstract

In [2] Bounded Model Checking with the aid of satisfiability solving (SAT) was introduced as an alternative to traditional symbolic model checking based on solving fixpoint equations with BDDs. In this paper we show how bounded model checking can take advantage of specialized optimizations. We present a bounded version of the cone of influence reduction that works very well for verifying safety properties. We have successfully applied this idea to checking safety properties of a PowerPC microprocessor under design at Motorola's Somerset PowerPC design center. Based on that experience, we propose a verification methodology that we feel can bring model checking into the mainstream of industrial chip design.


1 Introduction

Model checking has only been partially accepted by industry as a supplement to traditional verification techniques. The reasons are that model checking, to date, has been based on BDDs or on explicit state graph exploration, and these have not been robust enough for industry. Very often, model checking cannot be carried out without the aid of by-hand abstractions, or special partitioning of a design, or intuitive guesses at good BDD variable orderings. Too often, even these interventions are not sufficient for circuits which many designers would consider small, circuits with a few hundred latches and primary inputs. In an industrial environment, it is usually desired that verification be a "background" process, something that can be carried out by a program or script while a busy design team attends to creating the actual design. To date, model checking has needed too much by-hand intervention for that to be possible.

Model checking [6, 18] was first proposed as a verification technique eighteen years ago. However, it was not until the discovery of symbolic model checking techniques based on BDDs [5, 9, 16] around 1990 that it was taken seriously by industry. The first BDD based symbolic model checkers were able to verify examples of significant complexity like the Futurebus+ cache consistency protocol [7].

Unfortunately, BDD based model checkers have suffered from the fact that ordered binary decision diagrams can require exponential space. In some cases this is due to a bad choice for variable ordering, while in others it is inevitable [4]. However, the search for a good variable ordering can be time consuming and the results unpredictable. For industrial applications, this can make model checking somewhat unreliable; and this has, no doubt, slowed its acceptance by industry.

Recently a new symbolic model checking technique, called bounded model checking [2], has been proposed that uses fast satisfiability solvers instead of BDDs. The advantage of satisfiability solvers like SATO [21], GRASP [19], and Stålmarck's algorithm [20] over BDDs is that they never require exponential space. In [2], results were given which showed that this new model checking technique sometimes performed much better than BDD based symbolic model checking. However, these were academic examples, and doubt remained about whether bounded model checking would work well on realistic examples.

In this paper we consider the performance of a bounded model checker, BMC [2], in verifying twenty safety properties on five complex circuits from a current PowerPC microprocessor. By any reasonable measure, BMC consistently outperformed the BDD based symbolic model checker, SMV [15]. SMV failed to terminate on all but one example, and BMC was much faster on that example. In part, this performance gain was obtained by utilizing a new bounded cone of influence reduction specifically designed for bounded model checking. The new reduction technique eliminates unnecessary variables and clauses in the CNF (conjunctive normal form) formula used by the satisfiability solver. In the following sections, we explain how this new reduction technique works, and describe in detail the experimental results. We believe that these results should go a long way towards confirming that bounded model checking can efficiently handle realistic examples. Since we, ourselves, are convinced of this, we propose, here, a methodology for using bounded model checking as a supplement to traditional validation techniques in industry. We believe that this methodology can be introduced in a fully automated way today, with the bounded model checking technology that is at hand. Further, we feel that this represents a significant milestone in the progress of formal verification techniques.

Our paper is organized as follows: In Section 2, we describe the model of computation in use throughout the paper, and give a brief explanation of how bounded model checking works. In Section 3 we describe the bounded cone of influence reduction. Section 4 is the heart of the paper, where we discuss the experiments we performed, using bounded model checking to check safety properties of a PowerPC microprocessor. Based on the encouraging results we obtained, we propose, in Section 5, a methodology for fully automating this type of validation, in an industrial environment. The paper concludes in Section 6 with a brief summary and some directions for the future.

2 Preliminaries

In this section we give some basic definitions and briefly recall the concepts of bounded model checking presented in [2].

2.1 Models, Kripke Structures and LTL

We first consider models that can be represented by a set of initial and next state functions, and the Kripke structures that can be derived from them. The techniques presented in this paper, however, can be lifted to a more general description of state transition systems, and we go on to describe one such system, where a propositional constraint is incorporated into a Kripke structure.

Definition 1 (Model). Let $X = \{x_1, \ldots, x_n, x_{n+1}, \ldots, x_m\}$ be a set of $m$ Boolean variables, and let $F = \{f_1, \ldots, f_n\}$ be a set of $n \le m$ Boolean transition functions, each a function over variables in $X$. Finally, let $R = \{r_1, \ldots, r_n\}$ be a set of initialization functions, each a function over variables in $X$. Then $M = (X, F, R)$ is called a model.

From a model $M$ we can construct a Kripke structure $K = (S, T, I)$ in the following way. The set of states, $S$, is encoded in terms of the set of variables $X$, from the model $M$, i.e., $S = \{0, 1\}^m$. A state, $s \in S$, then, is an assignment to the variables in $X$. A state may also be considered a vector of these $m$ variables, and we'll define such a vector as $\bar{x} = (x_1, \ldots, x_n, x_{n+1}, \ldots, x_m)$. Note that we use italic identifiers $s, s_0, \ldots$ for states (elements of $S = \{0, 1\}^m$) and overhead bar identifiers $\bar{s}, \bar{s}_0$ for vectors of Boolean variables. We define present and next state versions of the variables in $X$, where next state variables are denoted by primes, e.g., $x'_j$. We define the transition relation, $T \subseteq S \times S$, and the set of initial states $I \subseteq S$ by way of their characteristic functions:

$$T(s, s') := \bigwedge_{j=1}^{n} x'_j \leftrightarrow f_j(\bar{x}) \qquad\text{and}\qquad I(s) := \bigwedge_{j=1}^{n} x_j \leftrightarrow r_j(\bar{x})$$

Here, $f_j$ and $r_j$ are the transition and initialization functions, respectively, of the $j$th element of the variable vector, $\bar{x}$. Note that transition and initialization functions are specified for only the first $n$ elements from $\bar{x}$. Elements $n+1$ through $m$ of $\bar{x}$ are meant to represent primary inputs (PIs), for instance, primary inputs to a circuit which we might represent with a model and a Kripke structure.

In practice, we will often want to consider a set of propositional constraints imposed on a system. For instance, in Section 5, we consider constraints on state variables representing primary inputs to a circuit. Given a model, $M = (X, F, R)$, a Kripke structure, $K = (S, T, I)$, derived from $M$, and a constraint function, $c$, over $M$'s set of variables, $X$, we can derive a constrained Kripke structure, $K_c = (S, T_c, I_c)$, by conjoining $c$ with the characteristic function of the transition relation and with the initial states predicate of $K$:

$$T_c(s, s') := T(s, s') \wedge c(s) \wedge c(s') \qquad\text{and}\qquad I_c(s) := I(s) \wedge c(s)$$

It is clear that $c$ is an invariant for $K_c$, since all initial states satisfy $c$, and all successors of all states satisfying $c$ satisfy $c$ as well. It should be noted that, in general, imposing a constraint may produce states with no valid, outgoing transitions, or may even produce an empty set of states. This is not of major concern to us, since such conditions (a) can be easily detected, and handled as considered appropriate and (b) are unlikely to occur using constraint functions over state variables representing inputs to digital circuits, which is our intention. Digital hardware has the property, at the circuit level, of always transitioning to a next state upon all input combinations. To create a "lockup" condition where no next states are possible in digital hardware one would need to remove all input stimuli. It is unlikely that a constraint function would be proposed, in practice, that did this.

As a specification logic we use Linear Temporal Logic (LTL) with state variables as atomic propositions. Therefore we do not need to include a labeling function. In this paper we consider a subset of LTL having only unary temporal operators: the next operator X, the eventually operator F, and the globally operator G. Additionally, formulae are assumed to be in negation normal form (NNF), i.e., negations appear only in front of atomic propositions.

We also adopt the usual semantics with respect to paths (see [2]): A path $\pi = (s_0, s_1, \ldots)$ in a model $M$ is an infinite sequence of states in the corresponding Kripke structure $K$ with the restriction that $T(s_i, s_{i+1})$ holds for all $i \in \mathbb{N}$. In addition we call $\pi$ initialized if $I(s_0)$ holds. We use the abbreviation $\pi^i := (s_i, s_{i+1}, \ldots)$. It is often convenient to discuss the value of a component variable from the underlying vector, $\bar{x}$, in a certain state along a path. The assignment to element $x_j$ of $\bar{x}$ in state $s_i$ along path $\pi$ is written as $s_i(j)$.
Definition 2. For an LTL formula $f$ and a path $\pi$ in a model $M$ we define the relation $\pi \models f$ by

$\pi \models (\neg)x_j$ iff $s_0(j) = \text{true (false)}$

$\pi \models Xf$ iff $\pi^1 \models f$

$\pi \models f \vee g$ iff $\pi \models f$ or $\pi \models g$

$\pi \models Ff$ iff $\exists i \in \mathbb{N}.\ \pi^i \models f$

$\pi \models f \wedge g$ iff $\pi \models f$ and $\pi \models g$

$\pi \models Gf$ iff $\forall i \in \mathbb{N}.\ \pi^i \models f$

We write $M \models Ef$ iff there exists an initialized path $\pi$ in $M$ with $\pi \models f$. Determining whether $M \models Ef$ is called the existential model checking problem. Similarly, we write $M \models Af$ iff for all initialized paths $\pi \models f$ and this defines the universal model checking problem. Note that the existential model checking problem can be used to solve the universal model checking problem: $M \models Ef$ iff $M \not\models A\neg f$.


2.2 Bounded Model Checking

In bounded model checking [2] the universal model checking problem is handled by checking the dual of the formula, i.e., by solving the existential LTL model checking problem. This, in turn, is translated into a propositional satisfiability test. Efficient satisfiability solvers (SAT) such as [10, 20] are used to perform the satisfiability test. In traditional symbolic model checking [5, 15] ordered binary decision diagrams [3] are the underlying data structure.

The bounded model checking procedure of [2] works as follows. Given an LTL formula $f$, a model $M$ and a bound $k \in \mathbb{N}$ we generate a propositional formula such that every satisfying assignment of this formula can be interpreted as a prefix of length $k$ of a path $\pi$ that is a witness for $f$ ($\pi \models f$). Let $d$ be the diameter of $M$ (see below). If all such generated formulae are unsatisfiable for all $k \le d$, then we have proven that $f$ is not existentially valid in $M$ ($M \not\models Ef$).

In generating the propositional formula we first introduce $k+1$ vectors of state variables, each representing a state in the prefix of length $k$, $\bar{s}_0, \ldots, \bar{s}_k$. We use the notation that $s_i(j)$ denotes the copy of the $j$th state variable, $x_j$, in any such vector, $\bar{s}_i$. Then the transition relation is unrolled $k$ times, substituting for states the appropriately labeled state variable vectors:

$$[\![ M ]\!]_k := I(\bar{s}_0) \wedge T(\bar{s}_0, \bar{s}_1) \wedge \cdots \wedge T(\bar{s}_{k-1}, \bar{s}_k) \qquad (1)$$

An assignment to the propositional variables in (1) corresponds, then, to a prefix of $k+1$ states along an initialized path $\pi$ in $K$. This initialized path $\pi$ can be extended to an infinite path since our type of models are lockup free, meaning each state has at least one successor. Every initialized path can also be interpreted as an assignment that satisfies (1), in which case we write $\pi([\![ M ]\!]_k) = \text{true}$.

If the specification is a simple safety property $Gp$ where $p$ is a propositional formula then the negated formula for which we search for a witness is $f = Fq$, where $q$ is a propositional formula in NNF that is equivalent to $\neg p$. A satisfying assignment to (1) can be extended to a path that is a witness for $f$ (and a counterexample for $Gp$) iff $q$ holds at one of the $k+1$ states or equivalently the assignment also satisfies:

$$[\![ f ]\!]_k := q(\bar{s}_0) \vee q(\bar{s}_1) \vee \cdots \vee q(\bar{s}_k) \qquad (2)$$

With this notation we can formulate the following theorem. It shows that bounded model checking is correct and complete for universal model checking of simple safety properties or equivalently for existential model checking of simple liveness properties.

Theorem 3. Let $f = Fq$ be an LTL formula with $q$ a propositional formula. Then $M \models Ef$ iff there exists $k \in \mathbb{N}$ for which $[\![ f ]\!]_k \wedge [\![ M ]\!]_k$ has a satisfying assignment.

For general LTL formulae the translation is more involved. Particularly, back loops from the last state to a previous state have to be considered for liveness properties [2]. We omit this discussion, since our focus here is on safety properties.

The final step is to translate the generated propositional formula into CNF (conjunctive normal form) since several SAT tools, such as [19, 21], expect their input in this format. The basic mechanism for this translation is to introduce a new variable for each subformula and add constraints in clause form that relate these variables. This is done such that the resulting CNF is satisfiable iff the original formula is satisfiable [1, 17]. The translation is linear in the size of the original formula. As an example, if the generated propositional formula contains a subformula $g \leftrightarrow g_1 \wedge g_2$ and $u$, $u_1$ and $u_2$, in that order, are the propositional variables introduced for $g$, $g_1$ and $g_2$ then we add the constraint $(u \to u_1) \wedge (u \to u_2) \wedge (u_1 \wedge u_2 \to u)$ which is equivalent to $(\neg u \vee u_1) \wedge (\neg u \vee u_2) \wedge (\neg u_1 \vee \neg u_2 \vee u)$ in CNF. For other boolean operators similar constraints are used.

To prove that a safety property $AGp$, with $p$ a propositional formula, is valid in a model $M$, we have to show that no witness for the dual formula $EF\neg p$ exists for a large enough $k$. This $k$ can be chosen as the minimal number of steps in which every state can be reached. Alternatively, we can compute the diameter of $M$, a hopefully small upper bound on this. The diameter is defined as follows. Let $M$ be a model such that for all reachable states $s$ and $t$ for which $t$ is reachable from $s$ there exists a path from $s$ to $t$ with at most $d - 1$ intermediate states. Then $d$ is called the diameter of $M$.

The check that a given model $M$ has diameter $d$ can be formulated as a validity test of a Quantified Boolean Formula (QBF). However, with SAT we can only check the validity of propositional formulae. An alternative is to prove an upper bound on the diameter which is called the recurrence diameter [2]. The recurrence diameter is defined as the least number $r$ such that at most $r$ consecutive states in a path are different. It is the least number $r$ for which the following propositional formula is valid:

$$T(\bar{s}_0, \bar{s}_1) \wedge \cdots \wedge T(\bar{s}_{r-1}, \bar{s}_r) \;\to\; \bigvee_{i < j} \bar{s}_i = \bar{s}_j$$

Note that in this case initial state constraints on $\bar{s}_0$ can be included as well.
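The following Python is an added example, not code from the paper or from the BMC tool: it builds $[\![ M ]\!]_k \wedge [\![ f ]\!]_k$ as in (1) and (2), translates it to CNF with one variable per subformula as just described, and asks a minimal DPLL solver for a witness, sweeping $k$ upwards as Theorem 3 suggests. The model is the five-variable shift register the paper uses in Section 3.2, embedded as constructed input; naming the copy $s_i(x)$ as `x@i` is this example's own convention.

```python
"""Bounded model checking of a safety property via SAT (added example, not BMC's code).
Formulas are nested tuples: ('v', name), ('c', bool), ('~', f), ('&' | '|' | '<->', f, g)."""


class Cnf:  # CNF translation of Section 2.2: one variable per subformula plus relating clauses
    def __init__(self):
        self.nvars, self.clauses, self.names = 0, [], {}   # literals are +v / -v

    def fresh(self):
        self.nvars += 1
        return self.nvars

    def var(self, name):
        if name not in self.names:
            self.names[name] = self.fresh()
        return self.names[name]

    def tseitin(self, f):
        """Return a literal equivalent to f, appending the clauses that define it."""
        op = f[0]
        if op == 'v':
            return self.var(f[1])
        if op == 'c':                       # a constant is a fresh variable fixed by a unit clause
            u = self.fresh()
            self.clauses.append([u] if f[1] else [-u])
            return u
        if op == '~':
            return -self.tseitin(f[1])
        u1, u2, u = self.tseitin(f[1]), self.tseitin(f[2]), self.fresh()
        self.clauses += {'&': [[-u, u1], [-u, u2], [-u1, -u2, u]],      # the three clauses of the text
                         '|': [[-u, u1, u2], [-u1, u], [-u2, u]],
                         '<->': [[-u, -u1, u2], [-u, u1, -u2], [u, u1, u2], [u, -u1, -u2]]}[op]
        return u


def dpll(clauses, nvars, assign=None):
    """Minimal DPLL (unit propagation, then branching); returns a model dict or None."""
    assign = dict(assign or {})
    while True:                                   # propagate unit clauses to a fixpoint
        unit = None
        for cl in clauses:
            if any(assign.get(abs(l)) == (l > 0) for l in cl):
                continue                          # clause already satisfied
            free = [l for l in cl if abs(l) not in assign]
            if not free:
                return None                       # every literal false: conflict
            if len(free) == 1:
                unit = free[0]
                break
        if unit is None:
            break
        assign[abs(unit)] = unit > 0
    for v in range(1, nvars + 1):                 # branch on the first unassigned variable
        if v not in assign:
            for val in (True, False):
                res = dpll(clauses, nvars, {**assign, v: val})
                if res is not None:
                    return res
            return None
    return assign


def at(f, i):  # rename each variable x in f to its copy s_i(x), named 'x@i'
    if f[0] == 'v':
        return ('v', f'{f[1]}@{i}')
    return f if f[0] == 'c' else (f[0],) + tuple(at(g, i) for g in f[1:])


def unroll(trans, init, q, k):
    """[[M]]_k /\\ [[F q]]_k, i.e. formulas (1) and (2), for bound k."""
    parts = [('<->', ('v', f'{x}@0'), at(r, 0)) for x, r in init.items()]     # I(s_0)
    for i in range(1, k + 1):                                                 # T(s_{i-1}, s_i)
        parts += [('<->', ('v', f'{x}@{i}'), at(fx, i - 1)) for x, fx in trans.items()]
    formula = at(q, 0)                                                        # q(s_0) \/ ... \/ q(s_k)
    for i in range(1, k + 1):
        formula = ('|', formula, at(q, i))
    for p in parts:
        formula = ('&', formula, p)
    return formula


def bmc(trans, init, q, k):
    """Witness prefix s_0..s_k for E F q (a counterexample to A G -q), or None."""
    cnf = Cnf()
    cnf.clauses.append([cnf.tseitin(unroll(trans, init, q, k))])
    sol = dpll(cnf.clauses, cnf.nvars)
    if sol is None:
        return None
    return [{x: sol[cnf.names[f'{x}@{i}']] for x in trans} for i in range(k + 1)]


def first_violation(trans, init, q, kmax):
    """Sweep k = 0..kmax as in Section 4; (k, witness) for the least such k, or None."""
    for k in range(kmax + 1):
        path = bmc(trans, init, q, k)
        if path is not None:
            return k, path
    return None


# Constructed input: the paper's five-variable model (f1 = 1, f_j = x_{j-1}, r = 01111).
TRANS = {'x1': ('c', True), 'x2': ('v', 'x1'), 'x3': ('v', 'x2'),
         'x4': ('v', 'x3'), 'x5': ('v', 'x4')}
INIT = {x: ('c', x != 'x1') for x in TRANS}
NOT_X4 = ('~', ('v', 'x4'))   # q = -x4, the negation of the safety property G x4
```

For $G x_4$ the formulas are unsatisfiable for $k = 0, 1, 2$ and the first witness appears at $k = 3$, the prefix 01111, 10111, 11011, 11101 from the paper's example.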

3 Cone of Influence

The Cone of Influence Reduction is a well known technique¹ that reduces the size of a model if the propositional formulae in the specification do not depend on all state variables in the structure. For bounded model checking this technique can be specialized to the Bounded Cone of Influence Reduction, described below.

3.1 Classical Cone of Influence Reduction

The basic idea of the Cone of Influence (COI) reduction is to construct a dependency graph of the state variables, and then traverse it starting from the variables in the specification. The set of state variables reached during this traversal is called the COI of the variables of the specification. In this paper, we call this the "classical" COI reduction, to differentiate it from the bounded version, which we introduce later. The variables not in the classical COI can not influence the validity of the specification and can therefore be removed from the model.

Let the model $M$ be given as in Definition 1. Then, define the immediate dependency set, $dep(x_j)$, of a state variable $x_j$ as

$$dep(x_j) := \{ x_l \mid x_l \text{ occurs in } f_j \}$$

where $f_j$ is the transition function for $x_j$. The Cone of Influence (COI) $coi(x_j)$ of a state variable $x_j$ is the least set of variables that contains $x_j$ and includes $dep(x_l)$ for all $x_l \in coi(x_j)$. The COI of an LTL formula $f$ is defined as $coi(f) := \bigcup \{ coi(x_j) \mid x_j \in var(f) \}$ where $var(f)$ is the set of variables that occur in $f$. Obviously, $coi(x_j)$ is the solution of a least fixpoint equation. With respect to a particular LTL formula $f$ we define a reduced model $coi(M, f)$ as $coi(M, f) := (coi(\bar{x}), coi(\bar{f}), coi(\bar{r}))$ where all the state variables not in the COI and their corresponding transition and initialization functions are removed:

$$coi(\bar{x}) = (x_{\tau_1}, \ldots, x_{\tau_p}), \qquad coi(\bar{f}) = (f_{\tau_1}, \ldots, f_{\tau_p}), \qquad coi(\bar{r}) = (r_{\tau_1}, \ldots, r_{\tau_p})$$

with $\{x_{\tau_1}, \ldots, x_{\tau_p}\} = coi(f)$. The following theorem, given without proof, allows us to reduce the size of the model in model checking if the formula does not depend on all state variables:

Theorem 4. $M \models f$ iff $coi(M, f) \models f$

¹ Cone of influence reduction seems to have been discovered and utilized by a number of people, independently. We note that it can be seen as a special case of Kurshan's localization reduction [13].
3.2 Bounded COI Reduction

The Bounded Cone of Influence Reduction is based on the observation that, for any state $s_k$ along a path, the value of an arbitrary state variable, $x$, in the associated state variable vector, $\bar{s}_k$, can depend only on state variables in state variable vectors $\bar{s}_j$, with $j < k$. In addition only the copies, in state variable vector $\bar{s}_{k-1}$, of the variables that are in $dep(x)$, can directly influence the value of $x$ in $\bar{s}_k$. For instance if $x$ is the only state variable appearing in the specification for which COI is being performed, then all variables other than the copy of $x$ and those in $dep(x)$ can be removed from $\bar{s}_{k-1}$. Likewise, their corresponding transition functions in $T(\bar{s}_{k-1}, \bar{s}_k)$ can be removed. Classical COI reduction would miss such reduction possibilities. This argument, that the only variables in a preceding state that need to be preserved are those in the immediate dependency set of variables in a current state, can be repeated, working backwards, until the initial state is reached. This is the case, at least, if we are only looking for violations of a safety property at state $s_k$ (in which case, we'd be replacing (2) by $q(\bar{s}_k)$).

For instance consider the following model with five state variables $x_1, \ldots, x_5$ and transition functions

$$f_1 = 1, \qquad f_2 = x_1, \qquad f_3 = x_2, \qquad f_4 = x_3, \qquad f_5 = x_4$$

Assume the state variables are initialized to constants:

$$r_1 = 0, \qquad r_2 = 1, \qquad r_3 = 1, \qquad r_4 = 1, \qquad r_5 = 1$$

This model has only one execution sequence in which the 0 value is moved from $x_1$ to $x_5$ over $x_2$, $x_3$ and $x_4$. After the 0 has reached $x_5$ it vanishes in the next step and all state variables stay at 1.

$$01111 \to 10111 \to 11011 \to 11101 \to 11110 \to 11111 \to \cdots$$

If the property, $f$, is the safety property that $x_4$ is always true ($f = Gx_4$), classical COI reduction would remove just $x_5$. Now, a counterexample for this property can be found by unrolling the transition relation three times ($k = 3$). Let us assume that we only want to check for $\neg x_4$ in the last state $\bar{s}_3$. To apply bounded COI we observe that $x_4$ in $\bar{s}_3$ only depends on $x_3$ in $\bar{s}_2$ which in turn depends on $x_2$ in $\bar{s}_1$. The value of $x_2$ in $\bar{s}_1$ only depends on the initial value of $x_1$. Therefore we can remove all other variables and their corresponding transitions. For example, in the transition from $\bar{s}_1$ to $\bar{s}_2$, the variable $x_1$ is not pertinent, and can be eliminated.

In this example, the application of bounded COI reduction would result in the following propositional formula:

$$s_0(1) \leftrightarrow 0 \;\wedge\; s_1(2) \leftrightarrow s_0(1) \;\wedge\; s_2(3) \leftrightarrow s_1(2) \;\wedge\; s_3(4) \leftrightarrow s_2(3) \;\wedge\; \neg s_3(4)$$

This formula is satisfiable, and its only satisfying assignment can be extended to a counterexample which is the only execution sequence falsifying the original formula. Without bounded COI, 12 more equalities would have been necessary.

For a formal treatment of the bounded COI reduction we define a special type of immediate dependency set, $bdep(s_i(j))$, for the components $s_i(j)$ of the state variable vectors representing a prefix of a path,

$$bdep(s_i(j)) := \text{if } i = 0 \text{ then } \emptyset \text{ else } \{ s_{i-1}(l) \mid x_l \in dep(x_j) \}$$

The bounded COI $bcoi(s_i(j))$ of a component of a state variable vector, $s_i(j)$, is defined, recursively, as the least set of variables that includes $s_i(j)$ and includes all elements from the immediate dependency sets of all variables in $bcoi(s_i(j))$. Finally we define the bounded COI of an LTL formula $f$ as $bcoi(f) := \bigcup \{ bcoi(s_i(j)) \mid s_i(j) \in var([\![ f ]\!]_k) \}$. In (1) we can now remove all factors of the form $s_i(j) \leftrightarrow \ldots$ where $s_i(j) \notin bcoi(f)$ and derive (for simplicity, we do not remove initial state assignments):

$$[\![ M ]\!]_k^{bcoi(f)} := I(\bar{s}_0) \wedge T_0(\bar{s}_0, \bar{s}_1) \wedge \cdots \wedge T_{k-1}(\bar{s}_{k-1}, \bar{s}_k)$$

where

$$T_{i-1}(\bar{s}_{i-1}, \bar{s}_i) := \bigwedge_{s_i(j) \in bcoi(f)} s_i(j) \leftrightarrow f_j(\bar{s}_{i-1}) \qquad \text{for } i = 1 \ldots k$$

The correctness of the bounded COI reduction is formulated in the following theorem (compare with Theorem 3).

Theorem 5. Let $f = Fq$ be an LTL formula with $q$ a propositional formula. Then $[\![ f ]\!]_k \wedge [\![ M ]\!]_k$ is satisfiable iff $[\![ f ]\!]_k \wedge [\![ M ]\!]_k^{bcoi(f)}$ is satisfiable.

In the bounded model checker, BMC, we have implemented bounded COI as follows. After the propositional formula has been generated, equalities are removed that do not contain any variable of the bounded COI or represent an assignment of a variable not included in the bounded COI. By the latter, we refer to the fact that all equalities in the propositional formula generated by BMC are terms of the form $s_i(j) \leftrightarrow f_j(\bar{s}_{i-1})$, where $f_j$ is the transition function of $s_i(j)$. This term would be dropped if $s_i(j)$ was not in the bounded COI. In BMC, we added an integer array of size $k+1$ for each variable $x \in \bar{x}$. In this array, entry $i$ is set to 1 during the dependency analysis iff the copy of the state variable in the $i$th state is in the bounded COI of the specification. The dependency analysis uses the same graph structure as classical COI to represent dependencies between variables. The information stored in the array is generated in a depth first traversal through this graph while maintaining a counter that represents the present level in the traversal.

For liveness properties a back loop from the last state, represented by $\bar{s}_k$, to a previous state, $\bar{s}_l$, has to exist [2]. Thus, $s_k(j)$ has to be included into the bounded COI iff $s_l(j)$ is contained in the bounded COI. Since our focus is on safety properties, we omit further discussion of bounded COI for liveness properties.
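As an added example (not the BMC implementation described above), the following Python computes the per-variable array of $k+1$ flags by a depth-first traversal with a level counter, as just described, for the paper's shift-register model, and counts the transition equalities that survive. It goes slightly beyond the text in two ways: it also handles the case where $\neg x_4$ is checked in every state as in (2), and it tolerates primary inputs (variables without a transition function, which are assumed here to have an empty dependency set).

```python
"""Bounded cone of influence (bounded COI) dependency analysis (added example, not BMC's code).
Transition functions are nested-tuple formulas: ('v', name), ('c', bool), ('~', f), (op, f, g)."""


def variables(f):
    """Set of variable names occurring in a formula."""
    if f[0] == 'v':
        return {f[1]}
    return set() if f[0] == 'c' else set().union(*(variables(g) for g in f[1:]))


def dep(trans):
    """Immediate dependency set dep(x_j): the variables occurring in f_j."""
    return {x: variables(fx) for x, fx in trans.items()}


def classical_coi(trans, spec_vars):
    """Least set containing spec_vars and dep(x) for every x in it (Section 3.1)."""
    d, coi, todo = dep(trans), set(), list(spec_vars)
    while todo:
        x = todo.pop()
        if x not in coi:
            coi.add(x)
            todo.extend(d.get(x, ()))        # primary inputs have no transition function
    return coi


def bounded_coi(trans, spec_at, k):
    """Per-variable array of k+1 flags: flags[x][i] == 1 iff s_i(x) is in the bounded COI.

    spec_at maps a state index i to the variables the specification reads in s_i:
    {k: {'x4'}} checks -x4 in the last state only, {i: {'x4'} for i in range(k+1)}
    corresponds to the disjunction (2) over all k+1 states.
    """
    d = dep(trans)
    flags = {x: [0] * (k + 1) for x in set(trans) | set().union(*d.values())}

    def visit(x, level):                     # depth-first, 'level' is the traversal counter
        if flags[x][level]:
            return
        flags[x][level] = 1
        if level > 0:                        # bdep(s_0(j)) is empty: nothing precedes s_0
            for y in d.get(x, ()):
                visit(y, level - 1)

    for i, xs in spec_at.items():
        for x in xs:
            visit(x, i)
    return flags


def kept_equalities(trans, flags, k):
    """Equalities s_i(j) <-> f_j(s_{i-1}) that survive in T_0 ... T_{k-1} after the reduction."""
    return [(x, i) for i in range(1, k + 1) for x in trans if flags[x][i]]


# Constructed input: the paper's five-variable model, f1 = 1, f_j = x_{j-1}.
TRANS = {'x1': ('c', True), 'x2': ('v', 'x1'), 'x3': ('v', 'x2'),
         'x4': ('v', 'x3'), 'x5': ('v', 'x4')}


def shift_register_summary(k=3):
    """Number of transition equalities kept for G x4 at bound k under each reduction."""
    last_only = bounded_coi(TRANS, {k: {'x4'}}, k)
    all_states = bounded_coi(TRANS, {i: {'x4'} for i in range(k + 1)}, k)
    return {'none': len(TRANS) * k,
            'classical': len(classical_coi(TRANS, {'x4'})) * k,
            'bounded_last_state': len(kept_equalities(TRANS, last_only, k)),
            'bounded_all_states': len(kept_equalities(TRANS, all_states, k))}
```

For $k = 3$ the last-state check keeps only the three equalities of the formula above out of the 15 in the full unrolling (the 12 fewer the text mentions), whereas classical COI alone still keeps 12.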

4 Experiments

We ran experiments using the bounded model checker, BMC, to test out the ideas set forth in this paper. BMC accepts files in a subset of the input format used by the widely known SMV model checker [15]. The experiments were run on subcircuits from a PowerPC microprocessor currently under design at Motorola's Somerset design center, in Austin, Texas. We believe that the results demonstrate the utility not only of bounded COI, but also of bounded model checking in an industrial setting.

While a processor is under design at Somerset, designers insert assertions into the RTL simulation model. These Boolean expressions are important safety properties, i.e., they should hold at all time points. If an assertion is ever false during simulation, an immediate error is flagged. In our experiments, we checked, with BMC, 20 assertions chosen from 5 different processor design blocks. We turned each into an $AGp$ property, where $p$ was the original assertion. For each of these, we:

1. Checked whether $p$ was a tautology.

2. Checked whether $p$ was otherwise an invariant.

3. Checked whether $AGp$ held for various time bounds, $k$, from 0 to 20.

The gate level netlist for each of the 5 design blocks was translated into an SMV file, with each latch represented by a state variable having individual next state and initial state assignments. For the latter, we assigned the 0 or 1 values we knew the latches would have after a designated power-on-reset sequence². Primary inputs to design blocks were modeled as unconstrained state variables, i.e., having neither next state nor initial state assignments.

For combinational tautology checking we eliminated all initialization statements and ran BMC with a bound of $k = 0$, checking the inner, propositional formula, $p$, from each of the $AGp$ specifications. Under these conditions, the specification could hold only if $p$ was true for all assignments to the state variables in its support.

Invariance checking entails checking whether a propositional formula holds in all initial states and is preserved by the transition relation. We ran BMC on input files with all initialization assignments intact, for each design block and each p in each AGp specification, with a time bound of k = 0. This determined whether each formula, p, held in the single, valid initial state of each design. We then ran BMC in a mode in which, for each design block and each AGp specification, all initialization assignments were removed from the input file, and, instead, an initial states predicate was added that indicated the initial states should be all those states satisfying p. Note that we did not really believe the initial states actually were those satisfying p. Rather, we knew each design block had only a single, valid initial state, which may or may not satisfy p. This technique was simply a way of getting the BMC tool to check all successors of all states satisfying p, in one time step. The time bound, k, was set to 1, and the AG p specification was checked. If the specification held, this showed p was preserved by the transition relation, since AG p could only hold, under these circumstances, if the successors of every state satisfying p also satisfied p. Note that AG p not holding under these conditions could possibly be due exclusively to behaviors in unreachable states. For instance, if an unreachable state, s, existed which either did not satisfy p or had a successor, s', which did not, then the check would fail. Therefore, this technique can only show that p is an invariant, but cannot show that it is not. However, we found this type of invariant checking to be very inexpensive with bounded model checking, and, therefore, very valuable. In fact, we made it a cornerstone of the methodology we recommend in Section 5.

² Microprocessors are generally designed with specified reset sequences. In PowerPC designs, the resulting values on each latch are known to the designers, and this is the appropriate initial state for model checking.

The  output  of  BMC  is  a  Boolean  formula  in  CNF  (conjunctive  normal  form)  that  is  given  to  a 
satisfiability  solver.  In  these  experiments,  we  used  both  the  GRASP  [19]  and  SATO  [21]  satisfiability 
solvers.  When  giving  results,  we  do  not  indicate  from  which  solver  they  came,  rather,  we  just  show  the 
best  results  from  the  two. 

The  SMV  input  files  were  given  to  a  recent  version  of  the  SMV  model  checker,  in  order  to  compare  to 
BDD  based  model  checking.  We  did  20  SMV  runs,  checking  each  of  the  AG p  specifications,  separately. 
When  running  SMV,  we  used  command  line  options  that  enabled  the  early  detection,  during  reachability 
analysis,  of  false  AG p  properties.  Note  that  the  verifier  did  not  need,  under  these  conditions,  to  compute 
a  fixpoint  if  a  counterexample  existed.  This  made  the  comparison  to  BMC  more  appropriate.  We  also 
enabled  dynamic  variable  ordering  when  running  SMV. 

All  experiments  were  run  with  wall  clock  time  limits.  The  satisfiability  solvers  were  given  15  minutes 
wall  clock  time,  maximum,  to  complete  each  run,  while  SMV  was  given  an  hour  for  each  of  its  runs. 
BMC,  itself,  was  never  timed,  as  its  task  of  translating  the  design  description  and  the  specification  is 
usually  done  quite  quickly.  The  satisfiability  solving  and  SMV  runs  were  done  on  RS6000  model  390 
workstations,  having  256  Megabytes  of  local  memory. 


4.1  Environment  Modeling 

A  typical  PowerPC  microprocessor  simulation  model  can  have  hundreds  or  even  thousands  of  assertions. 
We  wanted  to  demonstrate  that  bounded  model  checking  could  quickly  prove  that  some  of  these  held, 
eliminating  the  need  to  check  them  during  simulation.  Additionally,  for  assertions  that  did  not  hold,  we 
wanted  to  demonstrate  that  useful  information  on  possible  failure  modes  could  be  generated. 

We  did  not  model  the  interfaces  between  the  subcircuits  on  which  we  ran  our  experiments  and  the  rest 
of  the  microprocessor  or  the  external  computer  system  in  which  the  processor  would  eventually  be  placed. 
This  is  commonly  referred  to  as  “environment  modeling”.  One  would  ideally  like  to  do  environment 
modeling  on  subcircuits  such  as  we  experimented  on,  since  these  are  not  closed  systems.  Rather,  they 
depend  for  their  correct  functioning  upon  input  constraints,  i.e.,  certain  input  combinations  or  sequences 
not  occurring.  The  rest  of  the  system  must  guarantee  this  [12].  However,  if  a  safety  property  holds  with 
a totally unconstrained environment, then it holds in the real environment. Given Kripke structures $M'$ and $M$, $M'$ representing a design block with an unconstrained environment and $M$ the same block with its real, constrained environment, it is obvious that $M'$ simulates $M$, i.e., $M \le M'$ in the simulation preorder. It has been shown in [8, 11] that if $f$ is an ACTL formula, as are all the properties in these experiments, then $M' \models f$ implies $M \models f$.

It  is  likely  that  an  industrial  design  team  would  first  check  safety  properties  with  unconstrained 
environments,  since  careful  environment  modeling  can  be  time  consuming.  They  would  then  decide,  on 
an  individual  basis,  what  to  do  about  properties  that  failed:  invest  in  the  environment  modeling  for 
more  accurate  model  checking,  or  hope  that  simulation  will  find  any  real  violations  that  are  possible. 
Importantly,  the  model  checker’s  counterexamples  could  provide  hints  as  to  which  simulations,  on  the 
complete design not just the subcircuit, may need to be run. For instance, the counterexample may indicate that certain instructions need to be in execution, certain exceptions, e.g., a page fault, outstanding, and so on.
4.2 Experimental Results


As  mentioned,  we  checked  20  safety  properties,  distributed  across  5  design  blocks  from  a  single  PowerPC 
microprocessor.  These  were  all  control  circuits,  having  little  or  no  datapath  elements.  Their  sizes  were 
as  follows: 


Circuit | Latches | PIs | Gates
bbc     |   209   | 479 | 4852
ccc     |   371   | 336 | 4529
cdc     |   278   | 319 | 5474
dlc     |   282   | 297 | 2205
sdc     |   265   | 199 | 2544

Before COI

Circuit | Spec | Latches | PIs
bbc     | 1-4  |   150   | 242
ccc     | 1-2  |    77   | 207
cdc     | 1-4  |   119   | 190
dlc     | 1-6  |   119   | 170
dlc     | 7    |   119   | 153
sdc     | 1-2  |   113   | 121
sdc     | 3    |    23   |  15

After (classical) COI


In the right table we report the sizes of the circuits after classical COI reduction has been applied. Each AGp specification is given an arbitrary numeric label, on each circuit. These do not relate specifications on different design blocks, e.g., specification 2 of dlc is in no way related to specification 2 of sdc. Many properties involved much the same cone of circuitry on a design block, as can be seen by the large number of specifications having cones of influence with the same number of latches and PIs. However, these reduced circuits were not identical, from one specification to another, though they shared much circuitry.

The effectiveness of bounded COI can best be measured by looking at the CNF output of BMC. We ran BMC for values of k of 0, 1, 2, 3, 4, 5, 10, 15 and 20, on each specification. For each of these, we had BMC create CNF files having no COI reduction, having only classical COI, and having both classical and bounded COI.


In the table labeled “Average Bounded COI Reduction”, we give average sizes of all these CNF files, for each value of k. We summed the number of literals and clauses in all the CNF files for each k, for all specifications for all design blocks for that k, and divided by the total number of such files. While averaging can sometimes obscure the common occurrence of a phenomenon, we performed a by-hand inspection to verify this would not be the case. In the table, we give the average number of literals to the left of a slash, and the average number of clauses to the right. It can be seen that the advantage of bounded COI decreases with increasing k. Intuitively, this is due to the fact that, as we extend further in time, we eventually compute valuations for all the state variables in the classical cone of influence. However, at values of k up to around 10, bounded COI gives distinct benefit. Since we expect bounded model checking to be most effective at finding short counterexamples, and, since tautology and invariance checking are run at low k, we feel bounded COI is helping augment the system's strengths.
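The intuition in the preceding paragraph, as an added example in Python that is not code from the paper or from the BMC tool: it computes the classical cone of influence and a per-time-step bounded cone on a constructed latch chain (latch names l0 to l5, m0, m1 and inputs in0 to in6 are made up), and counts the time-indexed variables an unrolling to bound k must carry under each reduction. The bounded cone is computed by backward iteration from the bound, so that at time k only the support of p matters and a variable is needed at time i if p reads it or it feeds a latch needed at time i+1; that this is exactly how BMC defines bounded COI is an assumption. The counts follow the trend of the table: the bounded/classical ratio is far below one at small k and approaches one once every latch of the classical cone is needed at time 0.

```python
"""Classical vs. bounded cone of influence (COI) on a constructed latch chain.

Added example, not the paper's or the BMC tool's code.  The netlist, the
latch/input names and the spec support are made up for illustration, and the
bounded cone is computed by backward iteration from the bound (an assumption
about how bounded COI is defined, not taken from the tool).
"""

# Next-state dependencies: latch -> variables (latches or primary inputs)
# read by its next-state function.  Primary inputs have no entry.
NETLIST = {
    "l0": {"l1", "in0"},
    "l1": {"l2", "in1"},
    "l2": {"l3", "in2"},
    "l3": {"l4"},
    "l4": {"l5", "in4"},
    "l5": {"l5", "in5"},   # mode latch that holds its own value
    "m0": {"m1", "in6"},   # unrelated circuitry, outside every cone
    "m1": {"m0"},
}
SPEC_SUPPORT = {"l0", "in0"}   # variables the assertion p reads directly


def classical_coi(netlist, support):
    """Transitive fan-in closure of the spec support (time-independent)."""
    cone, todo = set(), set(support)
    while todo:
        v = todo.pop()
        if v not in cone:
            cone.add(v)
            todo |= netlist.get(v, set())
    return cone


def bounded_coi(netlist, support, k):
    """needed[i] = variables whose value at time i can influence AG p within
    bound k, for i = 0..k.  At time k only the support matters; walking
    backwards, a variable is needed at time i if p reads it or if it feeds a
    latch that is needed at time i + 1."""
    needed = [set() for _ in range(k + 1)]
    needed[k] = set(support)
    for i in range(k - 1, -1, -1):
        needed[i] = set(support)
        for v in needed[i + 1]:
            needed[i] |= netlist.get(v, set())
    return needed


def unrolled_var_counts(netlist, support, k):
    """Time-indexed variables an unrolling to bound k must carry under
    classical COI (the whole cone at every step) and under bounded COI."""
    classic = (k + 1) * len(classical_coi(netlist, support))
    bounded = sum(len(s) for s in bounded_coi(netlist, support, k))
    return classic, bounded


def reduction_table(netlist, support, bounds=(0, 1, 2, 3, 4, 5, 10, 15, 20)):
    """(k, classical count, bounded count, bounded/classical) per bound."""
    rows = []
    for k in bounds:
        classic, bounded = unrolled_var_counts(netlist, support, k)
        rows.append((k, classic, bounded, round(bounded / classic, 2)))
    return rows


if __name__ == "__main__":
    print("classical cone:", sorted(classical_coi(NETLIST, SPEC_SUPPORT)))
    for k, classic, bounded, ratio in reduction_table(NETLIST, SPEC_SUPPORT):
        print(f"k={k:2d}  classical={classic:4d}  bounded={bounded:4d}  ratio={ratio}")
```

On this chain the classical cone has 11 variables and the bounded unrolling needs 2 of them at k = 0 but 200 of the 231 classical ones at k = 20; the chain is six latches deep, so from k = 6 on the time-0 cone equals the classical cone and every further step adds a full copy of it, which is the effect the paragraph describes.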

The table labeled “Tautology and Invariance Checking” gives the results of these types of checks for each p from each AGp specification. These runs were done with bounded COI enabled. There are columns for tautology checking, for preservation by the transition relation and for preservation in initial states. The last two must both hold for a Boolean formula to be an invariant. A “Y” in the leftmost part of a column indicates the condition holding, an “N” that it does not. The center and rightmost parts of a column give time and memory usage, respectively. These are recorded only for times > 1 second, and memory usage > 5 megabytes; otherwise a “-” appears for insignificant time and memory. As can be seen, tautology and invariance checking can be remarkably inexpensive. This is an extremely important finding, as these can be quite costly with BDD based methods, and are at the heart of the verification methodology we propose in Section 5.

The  result  on  bbc  specification  2  is  interesting.  This  property  is  preserved  by  the  transition  relation — 
but  does  not  hold  in  the  initial  state!  Separating  the  check  on  initial  states  from  the  check  on  the 
transition  relation  enabled  us  to  quickly  see  this.  We  were  somewhat  surprised  by  the  small  number  of 
assertions  that  were  tautologies.  We  had  expected  that  designers  would  try  to  insure  safety  properties 
held  by  relying  on  combinational,  as  opposed  to  sequential  circuitry.  However,  the  real  environment  may, 
in  fact,  constrain  inputs  to  design  blocks  combinationally  such  that  these  are  tautologies.  See  Section  5 
for  a  discussion  of  this. 
k  | Bounded COI    | Classic COI    | No COI
0  |   137 / 449    |   234 / 546    |   376 / 688
1  |  1023 / 3762   |  1801 / 6790   |  3402 / 12749
2  |  2330 / 8946   |  3367 / 13025  |  6426 / 24801
3  |  3755 / 14631  |  4931 / 19259  |  9450 / 36851
4  |  5259 / 20608  |  6496 / 25492  | 12473 / 48901
5  |  6820 / 26821  |  8060 / 31725  | 15496 / 60951
10 |       ?        |       ?        |       ?
15 | 22466 / 89153  | 23706 / 94057  | 45730 / 181452
20 | 30288 / 120319 | 31529 / 125223 | 60846 / 241702

Average Bounded COI Reduction (average literals / clauses; the k = 10 row is not legible in the scanned source)


Circuit | Spec | Tautology | Tran Rel'n  | Init State
bbc     | 1    | N  -  -   | N  -   -    | Y  -  -
bbc     | 2    | N  -  -   | Y  -   -    | N  -  -
bbc     | 3    | N  -  -   | N  -   -    | Y  -  -
bbc     | 4    | N  -  -   | N  -   -    | Y  -  -
ccc     | 1    | N  -  -   | N  -   -    | Y  -  -
ccc     | 2    | N  -  -   | N  -   -    | Y  -  -
cdc     | 1    | N  -  -   | N  -   -    | Y  -  -
cdc     | 2    | Y  -  -   | Y  -   -    | Y  -  -
cdc     | 3    | Y  -  -   | Y  -   -    | Y  -  -
cdc     | 4    | Y  -  -   | Y  -   -    | Y  -  -
dlc     | 1    | N  -  -   | N  -   -    | Y  -  -
dlc     | 2    | N  -  -   | N  -   -    | Y  -  -
dlc     | 3    | N  -  -   | N  -   -    | Y  -  -
dlc     | 4    | N  -  -   | N  -   -    | Y  -  -
dlc     | 5    | N  -  -   | N  -   -    | Y  -  -
dlc     | 6    | N  -  -   | N  -   -    | Y  -  -
dlc     | 7    | N  -  -   | N  -   -    | Y  -  -
sdc     | 1    | N  -  -   | Y  15  5    | Y  -  -
sdc     | 2    | N  -  -   | N  60  6.5  | Y  -  -
sdc     | 3    | N  -  -   | N  15  -    | N  -  -

Tautology and Invariance Checking


circuit | spec | long k | vars  | clauses | time | mem | holds | fail k
bbc     | 1    | 4      | 7873  | 30174   | 35.4 | NR  | Y     |
bbc     | 2    | 15     | 34585 | 93922   | 5.5  | 84  | N     | 0
bbc     | 3    | ?      | 16814 | 63300   | 58   | NR  | Y     |
bbc     | 4    | ?      | 9487  | 35658   | 18   | NR  | Y     |
ccc     | 1    | ?      | 9396  | 40450   | 1.3  | 36  | N     | 1
ccc     | 2    | 5      | 9148  | 38841   | 1.4  | 39  | N     | 1
cdc     | 1    | 20     | 49167 | 207764  | 128  | 77  | N     | 2
cdc     | 2    | 20     | 50825 | 213137  | 4.7  | NR  | Y     |
cdc     | 3    | 20     | ?     | 213614  | 4.7  | NR  | Y     |
cdc     | 4    | 20     | ?     | 212406  | 4.8  | NR  | Y     |
dlc     | 1    | ?      | 18378 | 71291   | 2.9  | 64  | N     | 2
dlc     | 2    | ?      | 18024 | 69830   | 2.8  | 63  | N     | 2
dlc     | 3    | 20     | ?     | 68333   | 2.6  | 60  | N     | 2
dlc     | 4    | ?      | ?     | 69942   | 2.73 | 61  | N     | 1
dlc     | 5    | ?      | 18378 | 71291   | 2.9  | 60  | N     | 2
dlc     | 6    | ?      | 17712 | 68714   | 2.7  | NR  | N     | 2
dlc     | 7    | ?      | 16217 | 63781   | 2.4  | 64  | N     | 0
sdc     | 1    | 4      | 5554  | 20893   | 72   | 14  | Y     |
sdc     | 2    | 4      | 5545  | 20841   | 548  | 21  | Y     |
sdc     | 3    | ?      | 4119  | 15168   | -    | 3   | N     | 0

Highest k Values (cells marked ? are not legible in the scanned source)


The table labeled “Highest k Values” shows the results of increasing the time bound, k. These runs, again, were with bounded COI. We ran to large k even after finding counterexamples, or finding that the properties were invariants, at lower k. We did so simply to get statistics on runs with large k values. We found that the satisfiability solving went quickly at high values of k if counterexamples existed at low values of k or if the property was an invariant. While these are quite different outcomes, we surmised that, in both cases, checking satisfiability might be much easier.

In the table for the different k runs, NR means not recorded (data lost). It was sometimes difficult to obtain memory usage statistics during satisfiability solving; but, it should be kept in mind this often does not exceed that needed to store the CNF formula. Time is given in seconds, memory usage in megabytes, with dashes appearing where these were insignificant. The “vars” and “clauses” columns give the number of literals and clauses in the CNF file for the highest value of k on which satisfiability solving completed, the k in the “long k” column. The time and memory usage listings are for satisfiability solving on the CNF file for this particular k value. A “Y” in the “holds” column indicates the property held through all values of k tested, and an “N” indicates a counterexample was found. Counterexamples were found for 12 of the 20 properties. When these were found, the “fail k” column gives the first k at which a counterexample appeared. Time and memory consumption are not listed for the runs giving counterexamples, because the satisfiability solving took less than a second, and no more than 5 megabytes of memory, in each case!

Lastly, the results of BDD-based model checking are that SMV was given each of the 20 properties separately, but completed only one of these verifications. The 19 others all timed out at one hour of wall clock time, and, in each of these cases, SMV could not build the BDDs for the transition relation in the allotted time. SMV was run when the Somerset computer network allowed it unimpeded access to the CPU it was running on; and still, under these circumstances, SMV was only able to complete the verification of sdc, specification 3. Classical COI for this specification gave a very small circuit, having only 23 latches and 15 PIs. SMV found the specification false in the initial state, in approximately 2 minutes. Even this, however, can be contrasted to BMC needing 2 seconds to translate the specification to CNF, and the satisfiability solver needing less than 1 second to check it!


5  A  Verification  Methodology 

The  experimental  results  of  Section  4.2  lead  us  to  believe  that  the  checking  of  safety  properties,  an 
extremely  important  class  of  properties,  can  be  efficiently  automated  for  industrial  chip  designs.  In  what 
follows,  we  assume  a  design  divided  up  into  separate  blocks,  as  is  the  norm  with  hierarchical  VLSI 
designs.  A  methodology  we  would  recommend,  and  which  can  be  implemented  with  existing  technology, 
is  as  follows. 

-  Annotate  each  design  block  with  Boolean  formulae  that  should  hold  at  all  time  points.  Call  these 
the  block’s  inner  assertions. 

-  Annotate  each  design  block  with  Boolean  formulae  describing  constraints  which  inputs  to  that  block 
must  obey.  Call  these  the  block’s  input  constraints. 

-  Use  the  procedure  outlined  in  Section  5.2  to  check  each  block’s  inner  assertions  under  its  input 
constraints,  using  bounded  model  checking  with  satisfiability  solving.  Implement  this  as  a  program 
that  runs  as  a  background  job. 

The  goal  is  to  determine  whether,  for  each  block,  each  inner  assertion,  p,  is  an  invariant. 

The input constraints would be written in terms of conditions that should always hold. For instance, if circuit inputs a and b should never be true at the same time, the constraint would be written as $\lnot(a \land b)$. Ideally, we would like to have design teams notate sequential input constraints as well, which could be handled as LTL formulae. But, there are limitations as to which properties bounded model checking can currently check, and we focus here on what can be implemented, today.

The methodology we outline here should be compared to that proposed in [12], where input constraints were considered in the context of BDD based model checking.
5.1 Modeling Constrained Systems

Let  us  assume  we  have  translated  the  description  of  a  design  block,  into  a  Kripke  structure,  K.  In  the 
presence  of  propositional  input  constraints,  c,  we  need  to  check  whether  an  inner  block  assertion,  p,  is  an 
invariant  of  the  constrained  Kripke  structure ,  Kc ,  derived  from  K  as  described  in  Section  2.1.  However, 
for  bounded  model  checking,  we  need  not  form  Kc  directly,  and  can  work  with  the  unconstrained  Kripke 
structure,  K.  Note  that  unrolling  the  transition  relation  of  the  constrained  structure,  Kc,  as  per  formula 
(1)  of  Section  2.2,  is  entirely  equivalent  to  unrolling  the  transition  relation  of  the  unconstrained  structure, 
K ,  and  conjoining  each  term  with  the  constraint  function,  c,  at  each  time  step: 

$$[\![M]\!]_k := I(s_0) \land c(s_0) \land T(s_0, s_1) \land c(s_1) \land \cdots \land T(s_{k-1}, s_k) \land c(s_k) \qquad (3)$$

Being  able  to  work  with  the  unconstrained  system  makes  the  implementation  simple. 

There  are  potential  limitations  to  COI  reductions  on  constrained  systems.  The  constraint  function, 
c,  may  depend  upon  variables  not  in  the  classical  COI  of  the  specification,  p.  Likewise,  when  applying 
bounded  COI,  the  constraint  function,  at  a  given  time  step,  may  depend  upon  variables  not  in  the 
bounded  COI,  at  that  time  step.  So,  it  may  be  that  variables  get  reintroduced,  via  the  constraint 
function,  that  COI  reductions,  classical  or  bounded,  would  have  removed.  However,  we  do  not  expect 
this  to  be  a  major  problem.  We  expect  most  constraints  to  be  given  as  individual  Boolean  formulae  to 
be  conjoined  together,  and  thus,  unneeded  variables  may  often  be  eliminated  by  dropping  one  or  more 
conjuncts  which  contain  only  those. 


5.2  Safety  Property  Checking  Procedure 

Let c be the block input constraints, for some design block, D, let p be an inner block assertion for D, let K be D's unconstrained Kripke structure, and let Kc be its constrained Kripke structure. When checking a specification over Kc, assume the transition relation of K will be unrolled as per formula (3), directly above; and, when checking a specification over K, assume the transition relation of K will be unrolled as per formula (1) of Section 2.2. The steps for checking whether p is an invariant under the block input constraints, c, are outlined below.

1.  Check  whether  p  is  a  combinational  tautology  in  K.  If  it  is,  then  p  holds  regardless  of  c,  and  we  do 
not  need  to  check  further. 

2.  Check  whether  p  is  otherwise  an  invariant  for  K.  If  it  is,  p  is  an  invariant  regardless  of  c,  and  we 
need  not  check  further. 

3.  Check  whether  p  is  a  combinational  tautology  in  the  constrained  Kripke  structure,  Kc.  If  it  is,  go  to 
step  6  to  check  c. 

4. Check whether p is otherwise an invariant for Kc. If it is, go to step 6 to check c.

5. Check if a bounded length counterexample exists to AG p in Kc. If one is found, there is no need to examine c, since the counterexample would exist without input constraints³. If a counterexample is not found, we do need to check c (i.e., go to step 6). The input constraints may need to be reformulated and the check on p in Kc repeated, i.e., this procedure repeated, starting at step 3.

6.  Check  the  input  constraints,  c,  for  being  an  invariant  of  design  blocks  pertinent  to  it  (explained 
below). 

Inputs that are constrained in one design block, A, will, in general, be outputs of another design block, B. To check A's input constraints, we turn them into inner assertions for design block B, and use the procedure outlined above to check them. One must take precautions, here, against circular reasoning. Eventually, a chain of assumptions must be guaranteed by discharging the last unconditionally. The detection of circular reasoning is possible to automate, however, and so should not be a barrier to using this methodology.
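The checks of Section 4 (tautology at k = 0 with initialization removed, the initial-state check at k = 0, and preservation by the transition relation via the “all states satisfying p are initial” trick at k = 1) together with steps 1 through 6 of the procedure above, as an added example in Python that is not code from the paper or from the BMC tool. It runs on a hypothetical five-latch block (latch names r0, r1, g, x, y and inputs a, b are made up) under the input constraint ¬(a ∧ b) from the start of this section. Rather than emitting CNF for a SAT solver, it enumerates the paths that the unrolled formulas (1) and (3) quantify over, which decides the same questions for a block this small; taking the constrained structure Kc to be K restricted to the states satisfying c is an assumption about Section 2.1. The assertion P_X_LOW exhibits the caveat from Section 4: it holds on every reachable state, yet the preservation check fails because of an unreachable state, so the procedure reaches step 5 without a verdict.

```python
"""Safety checks from Section 4 and the Section 5.2 procedure on a toy block.

Added example, not code from the paper or from the BMC tool.  Latches r0, r1,
g, x, y and inputs a, b are made up.  Instead of emitting CNF for a SAT
solver, the checks enumerate the paths that the unrolled formulas (1) and
(3) quantify over, which decides the same questions for a block this small.
"""
from itertools import product

LATCHES = ("r0", "r1", "g", "x", "y")
INPUTS = ("a", "b")
# latch values after the reset sequence; primary inputs are free
RESET = {"r0": True, "r1": False, "g": False, "x": False, "y": False}


def next_latches(s):
    """Next-state functions, i.e. the transition relation T of the block."""
    return {"r0": s["r1"], "r1": s["r0"],   # two-bit ring: the token rotates
            "g": s["a"] and s["b"],         # grant latch set when both requests are up
            "x": s["y"], "y": s["y"]}       # x copies y; y holds its value forever


def all_states():
    """Every assignment to latches and inputs: inputs are unconstrained state
    variables, as in the SMV files of Section 4."""
    names = LATCHES + INPUTS
    for bits in product((False, True), repeat=len(names)):
        yield dict(zip(names, bits))


def successors(s):
    """All t with T(s, t): latches follow next_latches, inputs are free."""
    for bits in product((False, True), repeat=len(INPUTS)):
        yield {**next_latches(s), **dict(zip(INPUTS, bits))}


def is_reset_state(s):
    return all(s[name] == RESET[name] for name in LATCHES)


def unconstrained(s):
    return True


def input_constraint(s):
    """c of Section 5: requests a and b are never high together, i.e. not(a and b)."""
    return not (s["a"] and s["b"])


def is_tautology(p, c=unconstrained):
    """k = 0 with no initialization: p in every (c-satisfying) state."""
    return all(p(s) for s in all_states() if c(s))


def holds_initially(p, c=unconstrained):
    """k = 0 with reset values kept: p in the (c-satisfying) initial states."""
    return all(p(s) for s in all_states() if is_reset_state(s) and c(s))


def preserved_by_transition(p, c=unconstrained):
    """The Section 4 trick: every state satisfying p (and c) is taken as
    initial, the relation is unrolled once, and no c-satisfying successor may
    violate p.  Sound but incomplete: an unreachable state can make it fail."""
    return all(p(t) for s in all_states() if p(s) and c(s)
               for t in successors(s) if c(t))


def is_invariant(p, c=unconstrained):
    return holds_initially(p, c) and preserved_by_transition(p, c)


def bounded_counterexample(p, k, c=unconstrained):
    """Path s0..sk from a reset state, c holding on every state (formula (3)),
    with p violated on some s_i; None if no such path exists up to k.
    Paths are merged by last state, which suffices to decide existence."""
    frontier = {tuple(s.items()): [s] for s in all_states()
                if is_reset_state(s) and c(s)}
    for _ in range(k + 1):
        for path in frontier.values():
            if not p(path[-1]):
                return path
        frontier = {tuple(t.items()): path + [t] for path in frontier.values()
                    for t in successors(path[-1]) if c(t)}
    return None


def check_procedure(p, c, k):
    """Steps 1-6 of Section 5.2 for one inner assertion p under constraint c.
    K_c is taken to be K restricted to the states satisfying c (assumption)."""
    if is_tautology(p):
        return (1, "tautology in K")
    if is_invariant(p):
        return (2, "invariant of K regardless of c")
    if is_tautology(p, c):
        return (3, "tautology in K_c; check c (step 6)")
    if is_invariant(p, c):
        return (4, "invariant of K_c; check c (step 6)")
    if bounded_counterexample(p, k, c) is not None:
        return (5, "counterexample in K_c")
    return (5, "no counterexample up to k; inconclusive, check c (step 6)")


# Hypothetical inner assertions of the block.
def P_GRANT_NEEDS_REQ(s): return (not (s["a"] and s["b"])) or s["a"]  # combinational
def P_RING_ONE_HOT(s): return not (s["r0"] and s["r1"])
def P_NO_GRANT(s): return not s["g"]           # holds only under the constraint
def P_X_LOW(s): return not s["x"]              # true on reachable states only
def P_R1_LOW(s): return not s["r1"]            # violated after one step


if __name__ == "__main__":
    for p in (P_GRANT_NEEDS_REQ, P_RING_ONE_HOT, P_NO_GRANT, P_X_LOW, P_R1_LOW):
        print(f"{p.__name__:18s} -> {check_procedure(p, input_constraint, 5)}")
```

The five assertions end at five different points of the procedure: P_GRANT_NEEDS_REQ is a combinational tautology (step 1), P_RING_ONE_HOT is an invariant of K with no help from c (step 2), P_NO_GRANT is not an invariant of K but is one of Kc (step 4, so c itself must now be discharged), P_R1_LOW has a one-step counterexample (step 5), and P_X_LOW neither passes the k = 1 preservation check nor yields a counterexample up to the bound, which is exactly the “can show p is an invariant, but cannot show that it is not” situation of Section 4.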

There  are  two  reasons  to  check  both  the  unconstrained  and  constrained  systems,  as  we  do  above: 

1. It may not be necessary to check c, if all of a block's inner assertions, p, pass on step 1 or 2.

2. It may be useful to know which inner assertions are invariants regardless of c.

³ This is implied by the theorems for ACTL formulae in [8, 11], which we referred to in Section 4.1.

Regarding  the  last  point,  it  is  comforting  to  know  that  a  design  block’s  correctness  is  independent  of 
behaviors  at  its  inputs.  In  fact,  such  independence  may  even  be  required  for  some  design  blocks. 

In  the  experiments  of  Section  4.2,  we  could  not  follow  the  above  procedure,  as  we  did  not  have  a 
list  of  input  constraints.  But,  the  ease  with  which  we  carried  out  tautology  and  invariance  checking 
indicates  that  the  above  is  entirely  feasible.  It  should  be  noted  that  bounded  COI  is  most  effective  at 
low  k  values,  and  so  steps  1  through  4,  above,  benefit  a  great  deal  from  this  optimization.  This  would  be 
important  when  hundreds  of  safety  properties  need  to  be  checked  at  frequent  intervals.  Searching  for  a 
counterexample,  step  5,  may  become  CPU  and  memory  intensive  at  high  k  values;  however,  this  can  be 
arbitrarily  limited,  in  order  to  check  a  large  number  of  properties.  For  instance,  we  set  wall  clock  time 
limits  in  our  experiments.  It  is  expected  that  design  teams  would  operate  in  this  manner,  i.e.,  give  a 
percentage  of  limited  resources  to  formal  verification,  and  then  hope  that  simulation  would  complement 
this  effort  with  the  remainder  of  available  resources. 

6  Conclusion 

In  this  paper,  we  have  outlined  a  specialized  version  of  cone  of  influence  reduction  for  bounded  model 
checking.  The  concept  of  bounded  model  checking  is  just  beginning  to  be  explored,  and  we  expect  other 
reduction  techniques  will  be  found.  In  our  future  research,  we  will  seek  these  out. 

We  were  fortunate  to  have  had  access  to  a  large  and  complex  PowerPC  microprocessor  design  for  our 
experiments.  Previous  experiments  with  bounded  model  checking  using  satisfiability  solving  had  been 
confined  to  academic  examples,  and  could  possibly  have  been  dismissed  as  unrealistic.  The  present  set 
of  experimental  results,  however,  are  compelling.  They  tell  us  that,  for  some  types  of  properties,  these 
new  techniques  have  increased  the  efficiency  of  model  checking  by  orders  of  magnitude,  with  respect  to 
time  and  memory  usage.  Our  results  using  BDD  based  model  checking,  in  which  the  SMV  model  checker 
failed  to  complete  on  all  but  one  of  20  examples,  accentuate  this  difference.  We  still  expect,  however,  that 
BDD-based model checking methods will have a place in the overall verification “arsenal”. Certainly,
they  seem  to  be  the  only  techniques  that  can  presently  find  long  counterexamples,  though,  of  course, 
they  can  only  do  so  on  designs  that  fall  within  their  capacity  limitations. 

Lastly,  our  experiments  lead  us  to  believe  that  new  and  newly  appropriate  verification  methodologies 
can  be  introduced  in  industry,  to  take  advantage  of  these  new  efficiencies.  In  this  paper,  we  have  outlined 
one  such  procedure  for  checking  safety  properties.  Our  hope  is  that  once  such  methodologies  are  accepted, 
the  widespread  use  of  model  checking  will  illuminate  further  possibilities  for  optimization. 